How Wealth Managers Can Fight Cyber-Attackers - The "Three Ps" - Part One

Theresa J Pratt July 9, 2018

An authority in the field of cyber-security as it applies to wealth management lays out ideas for industry professionals in a two-part feature. Here's the first segment.

The war against cyber-attackers continues, and the threat to wealth management institutions such as family offices and private banks is obviously considerable given the scale of wealth that is involved. This publication has tracked this subject for some time, and the editors are delighted that a notable authority and speaker at events organized by Family Wealth Report, Theresa J Pratt of Market Street Trust Company, is adding her insights. Theresa is chief information security officer at her firm, and her straightforward, no-nonsense approach to the topic is ideal at a time when the subject of cyber-security can be full of jargon and obscure terms.

The editors of this news service hope these views stimulate debate. This is the first half of a two-part examination of this topic. Readers who wish to respond should email the editor at tom.burroughes@wealthbriefing.com

For decades, business leaders have sought to find strategic advantages or, at the very least, to keep pace with competitors by using technology. Over the past five years or so, however, the conversation surrounding technology shifted toward the challenges of ensuring information security. Staying ahead of the competition is not the only challenge anymore – it is just as important to stay ahead of potential threats trying to gain access to our information every day.

We have come to the unsettling realization that everything we have done to enable functionality, collaboration and efficiency has created risk. Finding a balance between enabling functionality and maintaining security is a fine line. It is the intent of this article to help find that balance and to have a practical discussion on key areas of focus related to cyber-security: adjusting to a changing regulatory environment through implementation of policies and procedures, as well as training both management and staff.

Due to a recent plethora of large, high-profile data breaches such as Equifax, regulatory bodies are taking notice and creating cyber-security and privacy legislation. The New York State Department of Financial Services (NYDFS) has passed the most stringent cyber regulations in the country (23 NYCRR 500). The European Union has passed privacy regulation with incredibly far-reaching effects, the General Data Protection Regulation, or GDPR. (You may have recently received several updated privacy policies from subscription services and vendors; those were issued to comply with GDPR.) This is likely just the beginning, and organizations not currently impacted by these regulations will be affected within five years. Everyone needs to prepare, and preparation is key to compliance.

Compliance, in a nutshell, is all about the three 'Ps': policy, practice and proof. To meet compliance requirements, an organization must say what it is going to do (policy), do what it said it would (practice), and document what it did (proof). In many cases, an organization may already have reasonable security practices, but they tend to be undocumented and ad hoc. Creating comprehensive policies is key to filling in gaps and to enhancing and complementing what you are already doing. While this can seem daunting, there are many good resources to help:

-- 23 NYCRR 500, the NYDFS regulation, especially Section 500.03, provides an excellent list of which cyber-security policies an organization should have (https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf). The Center for Internet Security, Inc. “CIS Controls™” (https://www.cisecurity.org/controls/) is another excellent list, grouped into basic, foundational and organizational controls;

-- The SANS Institute also has many policy templates (https://www.sans.org/security-resources/policies) to help you get started; and

-- Cyber-security consultants can also be a great resource and can help write policies and procedures. It is a good idea to review the above resources first so that you have a reasonable idea of what you need before engaging a consultant.

Once the policies are created, it is essential to implement and practice them. Everyone in your organization needs to be aware of your policies and how to comply, which is where training comes in. Keep in mind that a comprehensive training program does not necessarily need to be expensive, but it must be thorough. The following are some components to consider:

-- Incorporate cyber-security training into your employee onboarding program. From day one, emphasize how critical cyber-security is and what each employee’s role and responsibility is. Impart a sense of ownership. Using phrases like “This is our house and it is up to us to protect it” can foster that feeling;

-- Take advantage of an on-demand learning system to assign cyber-security courses to all employees. I have assigned seven for this year and will probably assign more next year. There are many vendors; ESET and Zoologic are just two. This technique provides a strong baseline;

-- Take advantage of the many newsletters, email alerts and blogs to stay abreast of cyber threats. The following is a sample of some I have monitored and distributed as applicable:

   -- SANS OUCH! newsletter;

   -- KnowBe4 email alerts;

   -- isc.sans.edu (the SANS Internet Storm Center), which includes podcasts, forums and email alerts. This tends to be technical but can be a great early warning system for current threats;

-- Bring in outside resources. One of my most effective training sessions involved two local FBI agents talking to staff about threats. Employees still talk about what they learned. Take advantage of training and awareness events offered by local colleges, industry organizations and law enforcement agencies. Use anyone and everyone who can and will reinforce what you need your employees to know;

-- Take advantage of National Cyber Security Awareness Month (October). Plan “events” during the month to drive home the critical nature of cyber-security but also have some fun. For example, we crafted a bunch of phishing emails and sent them to staff on what we called “Spot the Phish Day.” Each employee who reported a phishing email received a prize (Goldfish crackers); and   

-- Conduct regular penetration testing with a third party and make sure social engineering is part of the test. If anyone falls victim, work with them one on one.

It is important that employees are aware of the different types of threats. Social engineering, as mentioned above, is a notable example and a constant threat to organizations today. This is a new form of an old problem where criminals use con-artist techniques to trick an individual into giving up login names, passwords, and other sensitive information or resources. It comes in many forms: in-person, phone, text message, email… The only defense an organization has is smart, savvy employees who can recognize and prevent the attack. This is achieved through constant training.

The importance of employee training cannot be overstated. Combining a strong training program with a comprehensive manual of security policies and procedures is a significant start towards improving overall cyber-security posture.

The last of our three 'Ps' is proof. Now that you have comprehensive policies and your organization is well equipped to follow them, you need a system to document and prove that you are compliant. Consider using tools you may already have at your disposal.

As an example, many automated functions, such as back-up procedures or self-tests can be configured to send email alerts. Enable the alerts, create a dedicated mailbox for them, and collect them there. Take advantage of email rules to organize the alerts by filing them into separate folders. This will go a long way towards getting organized and providing proof of compliance. Once this is finished, do a gap analysis to determine what other areas of proof need to be documented and strategize how to manage the documentation, including the reporting interval. Many times this can take the form of reporting to the board of directors or to a sub-committee of the board.
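As an added example (not from the article or the author's firm), the following Python script mimics the mailbox-rule approach described above: it files constructed alert emails into a folder per policy they evidence and then runs the gap analysis against a hypothetical policy register, flagging any policy whose proof is missing or older than the reporting interval allows. The policy names, subject tags, evidence ages and sample messages are all assumptions.

```python
from datetime import datetime, timedelta
from email.parser import Parser
from email.utils import parsedate_to_datetime

# Constructed sample alert messages; no real system or mailbox is represented.
SAMPLE_ALERTS = [
    "From: backup@corp.example\nSubject: [BACKUP] Nightly job completed\n"
    "Date: Mon, 02 Jul 2018 02:10:00 +0000\n\nAll volumes backed up.\n",
    "From: av@corp.example\nSubject: [AV-SELFTEST] Definitions current\n"
    "Date: Tue, 03 Jul 2018 06:00:00 +0000\n\nSelf-test passed.\n",
    "From: hr@corp.example\nSubject: Lunch menu\n"
    "Date: Tue, 03 Jul 2018 11:00:00 +0000\n\nPizza on Friday.\n",
]

# Hypothetical policy register (an assumption, not the article's): each policy
# names the subject tag accepted as proof and the longest age that proof may have.
POLICY_EVIDENCE = {
    "Backup policy": ("[BACKUP]", timedelta(days=2)),
    "Endpoint protection policy": ("[AV-SELFTEST]", timedelta(days=7)),
    "Vulnerability management policy": ("[VULNSCAN]", timedelta(days=30)),
}


def file_alert(raw):
    """Mimic a mailbox rule: return (folder, sent_time); unmatched mail goes to 'Unfiled'."""
    msg = Parser().parsestr(raw)
    sent = parsedate_to_datetime(msg["Date"])
    for policy, (tag, _) in POLICY_EVIDENCE.items():
        if tag in (msg["Subject"] or ""):
            return policy, sent
    return "Unfiled", sent


def gap_analysis(raw_alerts, as_of_iso):
    """Per policy: 'evidence' (fresh proof), 'stale' (too old) or 'missing' (no proof)."""
    as_of = datetime.fromisoformat(as_of_iso)  # e.g. "2018-07-04T00:00:00+00:00"
    latest = {}
    for raw in raw_alerts:
        folder, sent = file_alert(raw)
        if folder != "Unfiled":
            latest[folder] = max(sent, latest.get(folder, sent))
    report = {}
    for policy, (_, max_age) in POLICY_EVIDENCE.items():
        if policy not in latest:
            report[policy] = "missing"
        elif as_of - latest[policy] > max_age:
            report[policy] = "stale"
        else:
            report[policy] = "evidence"
    return report
```

Running `gap_analysis(SAMPLE_ALERTS, "2018-07-04T00:00:00+00:00")` shows fresh evidence for the backup and endpoint policies and a missing-proof gap for vulnerability management, which is exactly the kind of finding the gap analysis is meant to surface before the next board report.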

In the next article, I will delve into two more key focus areas of a strong cyber-security program: patch management and third-party management. These components, when taken together and effectively managed, form the core of effective cyber-security.

About the author:

Theresa's responsibilities focus on cyber-security, complying with the New York State Department of Financial Services regulations, and strategic efficiencies through technological enhancements. She joined Market Street in 2012. Previously, she worked for CRB Consulting Engineers as its corporate applications manager. In this role, Theresa led the team that supported all major corporate applications, including accounting, intranet, secured client portals and CRB's website. Theresa is an adjunct instructor for Elmira College, teaching Information Technology in their business management program. She also serves on the board of the Chemung County Veterans Monument organization. Theresa holds a BA and M.S. from Elmira College in Information Technology Management, Microsoft Certification in VB.net programming and has completed executive certification in negotiation through Notre Dame University. She has also spoken at various events, including a conference on cyber-security and family offices hosted by the publisher of this news service.
